CVE-2023-29048
https://notcve.org/view.php?id=CVE-2023-29048
A component for parsing OXMF templates could be abused to execute arbitrary system commands that would be executed as the non-privileged runtime user. Users and attackers could run system commands with limited privilege to gain unauthorized access to confidential information and potentially violate integrity by modifying resources. The template engine has been reconfigured to deny execution of harmful commands on a system level. No publicly available exploits are known. Se podría abusar de un componente para analizar plantillas OXMF para ejecutar comandos arbitrarios del sistema que se ejecutarían como usuario de tiempo de ejecución sin privilegios. • http://packetstormsecurity.com/files/176421/OX-App-Suite-7.10.6-XSS-Command-Execution-LDAP-Injection.html http://seclists.org/fulldisclosure/2024/Jan/3 https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0005.json https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6248_7.10.6_2023-09-19.pdf • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2023-24600
https://notcve.org/view.php?id=CVE-2023-24600
OX App Suite before backend 7.10.6-rev37 allows authenticated users to bypass access controls (for reading contacts) via a move to their own address book. • http://seclists.org/fulldisclosure/2023/May/3 https://open-xchange.com •
CVE-2023-24597
https://notcve.org/view.php?id=CVE-2023-24597
OX App Suite before frontend 7.10.6-rev24 allows the loading (without user consent) of an e-mail message's remote resources during printing. • http://seclists.org/fulldisclosure/2023/May/3 https://open-xchange.com •
CVE-2023-24601
https://notcve.org/view.php?id=CVE-2023-24601
OX App Suite before frontend 7.10.6-rev24 allows XSS via a non-app deeplink such as the jslob API's registry sub-tree. • http://seclists.org/fulldisclosure/2023/May/3 https://open-xchange.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-24602
https://notcve.org/view.php?id=CVE-2023-24602
OX App Suite before frontend 7.10.6-rev24 allows XSS via data to the Tumblr portal widget, such as a post title. • http://seclists.org/fulldisclosure/2023/May/3 https://open-xchange.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •